Cyber Security for Financial Industry

TSAM London 2017 - Technology & Operational Strategy Forum

Talal Albacha

@talal_basha1982

[email protected]

Transcript of Cyber Security for Financial Industry


I will start with the takeaways

• Security should not be an afterthought

• SecDevOps

Agenda

• Intro

• Threats

• Reasons

• Solutions

Who is OWASP?

• Free & Open

• Governed by rough consensus & running code

• Abide by a code of ethics (see ethics)

• Not-for-profit

• Not driven by commercial interests

• Risk based approach

Mission

• Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks

AppSec Visibility Cycle (diagram)

Stakeholders: Audit, Developers, Infosec, Legal, Architects, Users, Research, Business

Cycle steps: Monitor Threat, Create Security Architecture, Define Security Requirements, Implement Controls, Share Findings, Understand Laws, Verify Compliance, Understand Stakeholders

Our Purpose & Our Core Values

OPEN: Everything at OWASP is radically transparent from our finances to our code.

INNOVATION: OWASP encourages and supports innovation/experiments for solutions to software security challenges.

GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.

INTEGRITY: OWASP is an honest and truthful, vendor agnostic, global community.


Our Purpose: The OWASP Foundation will be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.

Threats

Cyber attacks on Financial Industry

https://www.theguardian.com/business/2016/dec/19/gchq-asked-to-step-up-action-against-cyber-attack-threat-to-financial-services

This continues...

Source: Cyber Risk Report 2016 highlights - HPE

Cyber Threats

Cost of events involving different attack vectors

Source: NEW TECHNOLOGIES, NEW CYBERTHREATS - Kaspersky Lab Report 2017

New threats related to:

• Big Data: privacy issues…

• IoT: “smart” kettle, thermostat…

• Ransomware: data access restrictions

• Machine Learning systems: chat bots…

Why this is happening

• Two weeks of ethical hacking

• Ten man-years of development

Flaw categories: Business Logic Flaws, Code Flaws, Security Errors

Source: Cyber Risk Report 2016 highlights - HPE

OWASP Top Ten


Security weakness impact


2013 CISO Survey: Top 5 CISO Risks

Financial malware explained

Source: IBM (Financial malware explained white paper)

Solutions

Build an application security program; the following projects will boost your start:

Train and engage the dev team on the OWASP Top Ten Proactive Controls:

• A1 – Verify for Security Early and Often

• A2 – Parameterize Queries

• A3 – Encode Data

• A4 – Validate All Inputs

• A5 – Implement Identity and Authentication Controls

• A6 – Implement Appropriate Access Controls

• A7 – Protect Data

• A8 – Implement Logging and Intrusion Detection

• A9 – Leverage Security Frameworks and Libraries

• A10 – Error and Exception Handling
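As an added example (not code from the talk, from OWASP, or from any project it names), the following Python sketch puts A2, A3 and A4 side by side: an account lookup that concatenates user input into the SQL text, the same lookup with input validation and a bound parameter, and output encoding for an HTML context. The accounts table, the sample rows and the `ACC-NNNN` id format are constructed for the demo.

```python
import html
import re
import sqlite3

# Constructed sample data for the demo: a tiny accounts table, not from the talk.
SAMPLE_ACCOUNTS = [
    ("ACC-1001", "Alice <Retail>", 1500),
    ("ACC-1002", "Bob & Co", 98000),
    ("ACC-1003", "Carol", 250),
]

# Assumed id format for this demo: "ACC-" followed by exactly four digits.
ACCOUNT_ID_RE = re.compile(r"^ACC-\d{4}$")


def setup_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, account_id):
    """Anti-pattern: the user-controlled value is spliced into the SQL text, so the
    value can change the structure of the query (the weakness A2 addresses)."""
    query = "SELECT id, owner, balance FROM accounts WHERE id = '" + account_id + "'"
    return conn.execute(query).fetchall()


def validate_account_id(account_id):
    """A4 - Validate All Inputs: accept only the documented id format (allow-list)
    and reject everything else before it reaches the data layer."""
    if not isinstance(account_id, str) or not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("invalid account id")
    return account_id


def lookup_safe(conn, account_id):
    """A2 - Parameterize Queries: the driver binds the value separately from the
    SQL text, so it is only ever treated as data; the input is validated first."""
    account_id = validate_account_id(account_id)
    return conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchall()


def render_owner_html(owner):
    """A3 - Encode Data: encode for the output context (HTML here) at render time
    instead of trying to strip characters from the stored value."""
    return "<td>" + html.escape(owner, quote=True) + "</td>"


if __name__ == "__main__":
    conn = setup_db()
    # The concatenated query returns every row for a malformed id; the
    # validated, parameterized one rejects it and returns exactly one row
    # for a well-formed id.
    print(lookup_vulnerable(conn, "' OR '1'='1"))
    print(lookup_safe(conn, "ACC-1002"))
    print(render_owner_html("Alice <Retail>"))
```

Validation and parameterization are separate controls: the bound parameter is what stops the value from being read as SQL, while the allow-list rejects malformed ids early and gives a clean error to log (A8) rather than a database exception (A10).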

Establish appsec operational process

Integrate with devops (SecDevOps)

Let the world help you.

Source: HPE

Questions